Amplification DDoS Attacks Increase in Q1 2018

Kaspersky Lab’s latest quarterly report is out, and its researchers noted a sharp increase in the popularity of amplification DDoS attacks, in addition to a growth in old and new botnets.

Kaspersky’s interest in amplification attacks was piqued when its DDoS Protection support team was contacted by a company that had been experiencing an unusually high load on its communications channel in what it thought must be a DDoS attack. Initially, Kaspersky agreed that it was a DDoS attack: the channel was clogged and users couldn’t reach the company’s services. However, a deeper search revealed that a vulnerable Memcached service was installed on one of the company’s CentOS Linux servers. Cybercriminals had exploited the service to generate huge amounts of outbound traffic that was overloading the channel. Thus the client was not the actual target but rather, in Kaspersky’s words, “an unwitting accomplice in the DDoS attack: the attackers used its service as an amplifier”. The parasitic traffic came to a halt after Kaspersky Lab’s recommendations were followed.

A series of attacks, which hit GitHub and an unknown service provider in early March, produced record volumes of illegitimate traffic – over 1 TB/s – by leveraging Memcached.

Nonetheless, the number of vulnerable servers that can be used for this type of attack is in rapid decline, because owners of servers exposing Memcached are increasingly patching the vulnerability to prevent further downtime losses. NTP- and DNS-based amplification has also largely disappeared due to efficient patching.

Even so, Kaspersky still reported that the Q1 picture shows that amplified attacks, which were previously in decline, have once again gained momentum. Its researchers expect cybercriminals to seek out additional non-standard amplification methods beyond these. They give an example of a fairly rare type of amplification attack they observed last quarter, in which the LDAP service was used as an amplifier. Although there is a relatively small number of LDAP servers available, Kaspersky warned its readers that “this type of attack could be a hit on the shadow Internet in the coming months”, as the service has one of the biggest amplification factors, alongside Memcached, NTP and DNS.
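The “unwitting accomplice” scenario above, and the LDAP case just described, both show up in a server’s own traffic as a large outbound-to-inbound byte ratio on one UDP service port towards a single remote address. The following is an added example (not code from Kaspersky or its report) that flags that pattern in flow records; the record format and the sample flows are constructed for illustration.

```python
# Added example: flag local UDP services that are acting as DDoS amplifiers.
# Flow record layout and sample values are constructed, not taken from the report.
from collections import defaultdict

# UDP service ports the article names as amplifiers (Memcached, LDAP, NTP, DNS).
AMPLIFIER_PORTS = {11211: "memcached", 389: "ldap", 123: "ntp", 53: "dns"}

# Constructed sample flows: (direction, proto, local_port, remote_ip, bytes)
SAMPLE_FLOWS = [
    # A few tiny inbound "requests" to Memcached from one (spoofed) address...
    ("in",  "udp", 11211, "198.51.100.7", 60),
    ("in",  "udp", 11211, "198.51.100.7", 60),
    ("in",  "udp", 11211, "198.51.100.7", 60),
    # ...answered by huge outbound responses to that same address: the real victim.
    ("out", "udp", 11211, "198.51.100.7", 900_000),
    ("out", "udp", 11211, "198.51.100.7", 900_000),
    ("out", "udp", 11211, "198.51.100.7", 900_000),
    # Ordinary DNS: modest request/response sizes, ratio close to 1.
    ("in",  "udp", 53, "203.0.113.9", 70),
    ("out", "udp", 53, "203.0.113.9", 110),
]

def amplification_ratios(flows):
    """Return {(service, remote_ip): (in_bytes, out_bytes, ratio)} per amplifier port."""
    totals = defaultdict(lambda: [0, 0])  # [inbound bytes, outbound bytes]
    for direction, proto, port, remote, nbytes in flows:
        if proto != "udp" or port not in AMPLIFIER_PORTS:
            continue
        key = (AMPLIFIER_PORTS[port], remote)
        totals[key][0 if direction == "in" else 1] += nbytes
    result = {}
    for key, (inb, outb) in totals.items():
        # No inbound bytes at all but outbound traffic is the most suspicious case.
        ratio = outb / inb if inb else float("inf")
        result[key] = (inb, outb, ratio)
    return result

def flag_amplifiers(flows, min_ratio=10.0, min_out_bytes=1_000_000):
    """Remotes for which we send far more than we receive on an amplifier port."""
    return {
        key: stats for key, stats in amplification_ratios(flows).items()
        if stats[2] >= min_ratio and stats[1] >= min_out_bytes
    }

if __name__ == "__main__":
    for (service, remote), (inb, outb, ratio) in flag_amplifiers(SAMPLE_FLOWS).items():
        print(f"{service}: {inb} B in, {outb} B out to {remote} (x{ratio:.0f})")
```

The thresholds are illustrative; the remedy in the case above was to stop exposing Memcached over UDP at all, so any hit on port 11211 is worth acting on regardless of ratio.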

Kaspersky’s report also showed growth in the Reaper (or IoTroop) botnet and the emergence of new variants of Mirai and Satori (also known as Okiru), without accompanying details thus far. Several other new DDoS types were identified, including DoubleDoor, which Kaspersky describes as “the first known piece of ‘wild’ malware to bundle two IoT vulnerabilities together.”

The number of mixed attacks that utilized several botnet groups also increased, showing that attackers are unafraid to utilize unused parts of botnets to generate illegitimate traffic and redeploy them across different targets.